<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html 
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Module: ActionController::RequestForgeryProtection::ClassMethods</title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  <meta http-equiv="Content-Script-Type" content="text/javascript" />
  <link rel="stylesheet" href="../../.././rdoc-style.css" type="text/css" media="screen" />
  <script type="text/javascript">
  // <![CDATA[

  function popupCode( url ) {
    window.open(url, "Code", "resizable=yes,scrollbars=yes,toolbar=no,status=no,height=150,width=400")
  }

  function toggleCode( id ) {
    if ( document.getElementById )
      elem = document.getElementById( id );
    else if ( document.all )
      elem = eval( "document.all." + id );
    else
      return false;

    elemStyle = elem.style;
    
    if ( elemStyle.display != "block" ) {
      elemStyle.display = "block"
    } else {
      elemStyle.display = "none"
    }

    return true;
  }
  
  // Make codeblocks hidden by default
  document.writeln( "<style type=\"text/css\">div.method-source-code { display: none }</style>" )
  
  // ]]>
  </script>

</head>
<body>



    <div id="classHeader">
        <table class="header-table">
        <tr class="top-aligned-row">
          <td><strong>Module</strong></td>
          <td class="class-name-in-header">ActionController::RequestForgeryProtection::ClassMethods</td>
        </tr>
        <tr class="top-aligned-row">
            <td><strong>In:</strong></td>
            <td>
                <a href="../../../files/vendor/rails/actionpack/lib/action_controller/request_forgery_protection_rb.html">
                vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb
                </a>
        <br />
            </td>
        </tr>

        </table>
    </div>
  <!-- banner header -->

  <div id="bodyContent">



  <div id="contextContent">

    <div id="description">
<p>
Controller actions are protected from CSRF attacks by ensuring that every
form submission and Ajax request originates from the current web
application, not from a forged link on another site. This is done by
embedding a token derived from the session (which an attacker would not
know) in all forms and Ajax requests generated by <a
href="../../Rails.html">Rails</a>, and then verifying that token in the
controller. Only HTML/JavaScript requests are checked, so this will not
protect your XML API (presumably you&#8217;ll have a different
authentication scheme there anyway). GET requests are not protected
either, as they should be safe and idempotent anyway.
</p>
<p>
This is turned on with the <tt><a
href="ClassMethods.html#M000934">protect_from_forgery</a></tt> method,
which checks the token and raises
ActionController::InvalidAuthenticityToken if it doesn&#8217;t match what
was expected. You can customize the error message in production by editing
public/422.html. A call to this method in ApplicationController is
generated by default in post-<a href="../../Rails.html">Rails</a> 2.0
applications.
</p>
<p>
The token parameter is named <tt>authenticity_token</tt> by default. If you
are generating an HTML form manually (without the use of <a
href="../../Rails.html">Rails</a>&#8217; <tt>form_for</tt>,
<tt>form_tag</tt> or other helpers), you have to include a hidden field
named like that and set its value to what is returned by
<tt>form_authenticity_token</tt>. Same applies to manually constructed Ajax
requests. To make the token available through a global variable to scripts
on a certain page, you could add something like this to a view:
</p>
<pre>
  &lt;%= javascript_tag &quot;window._token = '#{form_authenticity_token}'&quot; %&gt;
</pre>
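<p>
The following Ruby is an added example, not code from this page or from Rails itself. It models the token scheme just described: a token derived from the session under a server-side secret, checked only on non-GET HTML/JavaScript requests. The names <tt>CsrfGuard</tt> and <tt>Req</tt>, and the secret and session values, are assumptions for illustration.
</p>

```ruby
# Added illustration (not Rails' own code): a minimal model of the session-bound
# authenticity token scheme; CsrfGuard, Req and the demo values are assumptions.
require 'openssl'

Req = Struct.new(:http_method, :format, :session_id, :params)

class CsrfGuard
  TOKEN_PARAM = :authenticity_token
  # secret and digest play the role of the :secret / :digest options.
  def initialize(secret, digest = 'SHA1')
    @secret = secret
    @digest = digest
  end
  # The token is derived from the session id under a server-side secret, so a
  # page on another origin cannot compute it for the victim's session.
  def form_authenticity_token(session_id)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(@digest), @secret, session_id.to_s)
  end
  # Documented scope: only non-GET HTML/JavaScript requests are checked; GETs are
  # assumed idempotent and XML API calls are left to their own authentication.
  def verified_request?(req)
    return true if req.http_method == :get
    return true unless [:html, :js].include?(req.format)
    secure_equal?(req.params[TOKEN_PARAM].to_s, form_authenticity_token(req.session_id))
  end
  private
  # Constant-time comparison so a mismatch does not leak through timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample requests against one session: a genuine form post, a post
# with no token, a post with a wrong token, a GET, and an XML API post.
def demo(guard = CsrfGuard.new('server-side-secret-placeholder'))
  sid = 'session-id-for-demo'
  good = guard.form_authenticity_token(sid)
  {
    legit_post:    guard.verified_request?(Req.new(:post, :html, sid, { authenticity_token: good })),
    missing_token: guard.verified_request?(Req.new(:post, :html, sid, {})),
    wrong_token:   guard.verified_request?(Req.new(:post, :html, sid, { authenticity_token: 'f' * 40 })),
    get_request:   guard.verified_request?(Req.new(:get, :html, sid, {})),
    xml_api_post:  guard.verified_request?(Req.new(:post, :xml, sid, {}))
  }
end

puts demo.inspect if __FILE__ == $0
```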
<p>
Request forgery protection is disabled by default in the test environment.
If you are upgrading from <a href="../../Rails.html">Rails</a> 1.x, add
this to config/environments/test.rb:
</p>
<pre>
  # Disable request forgery protection in test environment
  config.action_controller.allow_forgery_protection = false
</pre>
<h2>Learn more about CSRF (Cross-Site Request Forgery) attacks</h2>
<p>
Here are some resources:
</p>
<ul>
<li><a
href="http://isc.sans.org/diary.html?storyid=1750">isc.sans.org/diary.html?storyid=1750</a>

</li>
<li><a
href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">en.wikipedia.org/wiki/Cross-site_request_forgery</a>

</li>
</ul>
<p>
Keep in mind, this is NOT a silver-bullet, plug &#8216;n&#8217; play, warm
security blanket for your Rails application. There are a few guidelines you
should follow:
</p>
<ul>
<li>Keep your GET requests safe and idempotent. More reading material:

<ul>
<li><a
href="http://www.xml.com/pub/a/2002/04/24/deviant.html">www.xml.com/pub/a/2002/04/24/deviant.html</a>

</li>
<li><a
href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1">www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1</a>

</li>
</ul>
</li>
<li>Make sure the session cookies that <a href="../../Rails.html">Rails</a>
creates are non-persistent. Check in Firefox and look for &quot;Expires: at
end of session&quot;.

</li>
</ul>

    </div>


   </div>

    <div id="method-list">
      <h3 class="section-bar">Methods</h3>

      <div class="name-list">
      <a href="#M000934">protect_from_forgery</a>&nbsp;&nbsp;
      </div>
    </div>

  </div>


    <!-- if includes -->

    <div id="section">





      


    <!-- if method_list -->
    <div id="methods">
      <h3 class="section-bar">Public Instance methods</h3>

      <div id="method-M000934" class="method-detail">
        <a name="M000934"></a>

        <div class="method-heading">
          <a href="#M000934" class="method-signature">
          <span class="method-name">protect_from_forgery</span><span class="method-args">(options = {})</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Turn on request forgery protection. Bear in mind that only non-GET,
HTML/JavaScript requests are checked.
</p>
<p>
Example:
</p>
<pre>
  class FooController &lt; ApplicationController
    # uses the cookie session store (then you don't need a separate :secret)
    protect_from_forgery :except =&gt; :index

    # uses one of the other session stores that uses a session_id value.
    protect_from_forgery :secret =&gt; 'my-little-pony', :except =&gt; :index

    # you can disable CSRF protection on a controller-by-controller basis:
    skip_before_filter :verify_authenticity_token
  end
</pre>
<p>
Valid Options:
</p>
<ul>
<li><tt>:only/:except</tt> - Passed to the <tt>before_filter</tt> call. Set
which actions are verified.

</li>
<li><tt>:secret</tt> - Custom salt used to generate the
<tt>form_authenticity_token</tt>. Leave this off if you are using the
cookie session store.

</li>
<li><tt>:digest</tt> - Message digest used for hashing. Defaults to
&#8216;SHA1&#8217;.

</li>
</ul>
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000934-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000934-source">
<pre>
    <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 76</span>
76:       <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">protect_from_forgery</span>(<span class="ruby-identifier">options</span> = {})
77:         <span class="ruby-keyword kw">self</span>.<span class="ruby-identifier">request_forgery_protection_token</span> <span class="ruby-operator">||=</span> <span class="ruby-identifier">:authenticity_token</span>
78:         <span class="ruby-identifier">before_filter</span> <span class="ruby-identifier">:verify_authenticity_token</span>, <span class="ruby-identifier">:only</span> =<span class="ruby-operator">&gt;</span> <span class="ruby-identifier">options</span>.<span class="ruby-identifier">delete</span>(<span class="ruby-identifier">:only</span>), <span class="ruby-identifier">:except</span> =<span class="ruby-operator">&gt;</span> <span class="ruby-identifier">options</span>.<span class="ruby-identifier">delete</span>(<span class="ruby-identifier">:except</span>)
79:         <span class="ruby-identifier">request_forgery_protection_options</span>.<span class="ruby-identifier">update</span>(<span class="ruby-identifier">options</span>)
80:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>


    </div>


  </div>



</body>
</html>